Submitted via IRC for SoyCow1984
Hack Brief: Google Reveals 'BuggyCow,' a Rare MacOS Zero-Day Vulnerability
When Google's team of ninja bug-hunting researchers known as Project Zero finds a hackable flaw in somebody else's code, they give the company responsible 90 days to fix it before going public with their findings—patched or not. So like clockwork, 94 days after Google alerted Apple to a bug in its MacOS operating system that could allow malware to inject data into the most privileged code running on its computers, Mountain View's hackers are revealing that fresh zero-day vulnerability to the world.
On Friday, Google's Project Zero researchers quietly published a forum post outlining a previously unknown vulnerability in MacOS, which they call BuggyCow, in a piece of proof-of-concept demonstration code. The attack takes advantage of an obscure oversight in Apple's protections on its machines' memory to enable so-called privilege escalation, allowing a piece of malware with limited privileges to, in some cases, pierce into deeper, far more trusted parts of a victim's Mac.
[...] BuggyCow continues Project Zero's practice of publicly dropping serious, unpatched security vulnerabilities in the code of major tech firms, from Apple and Facebook to Microsoft, a habit that has earned it occasional criticism from the security industry. But the group's strict 90-day deadline, Google has argued, is intended as a powerful motivator for other companies to patch their flaws quickly—an important factor given that Project Zero isn't always the only group of hackers who discover a vulnerability.
In fact, Project Zero notes that it first warned Apple about its BuggyCow flaw back in November and that the company hadn't acted to patch it ahead of last week's public reveal. Apple didn't respond to a request for comment.
(Score: 2) by All Your Lawn Are Belong To Us on Wednesday March 06 2019, @03:15PM (2 children)
Macs don't get malware, so obviously Google is in error.
This sig for rent.
(Score: 2) by Freeman on Thursday March 07 2019, @06:39PM (1 child)
While the trope is overused, abused, and wrong, the vast majority of malware is targeted directly at Windows users. So, it's hard to argue that you're not safer using an Apple or Linux device, so long as you stay away from the cesspit that is the Google Play Store.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by All Your Lawn Are Belong To Us on Thursday March 07 2019, @10:57PM
Except that the trope is still believed by enough people that it deserves repeating. I know personally of two people who believe that they are protected from malware solely because they own a Mac, and refuse to believe when I share that, while they are less likely to get bitten, it's still possible. Just because it's statistically less likely to be exploited ("safer"), this brings little comfort if you're in that minority of the minority that still got pwned. And much less so if you're using a Mac because you're "not a computer person." Not everybody who uses a Mac fits that description by any means, but many who are not computer people use Macs. Finally, as recently as 2012 Apple was still marketing around the concept that Macs don't get PC viruses without being honest that they've always had their own classes of viruses and malware to cope with. So to me the trope still applies, full force.
This sig for rent.